rlebeau on http-proxy-keepalive
Updating TIdHTTPProxyServer.Com… (compare)
setsockopt()
when adding a local IP to the multicast group, which is done after the socket is bound locally. The local IP that is being passed in is 0:0:0:0:0:0:0
(aka in6addr_any
), which comes from the TIdSocketHandle.IP
property, which is updated after binding. If the socket is bound to a specific local IP and not to in6addr_any, the TIdSocketHandle.IP
property should not be all zeros. That implies a possible failure in TIdSocketHandle.UpdateBindingLocal()
. But no matter, because the local IP is not currently being passed to setsockopt(IPV6_ADD_MEMBERSHIP)
in IPv6, it is set to the default multicast interface instead. Maybe that is what iOS is complaining about.
I have still problems with HTTP and NTLM Proxy :( IdAuthenticationNTLM, IdAuthenticationSSPI, IdAuthenticationDigest are used in the interface uses section
For debugging I created event handler for every event of TIdHTTP with logging all method parameters.
First OnStatus
(with hsConnecting) will be fired, then OnStatus
again (with hsConnected), OnHeadersAvailable
, OnWorkBegin
(AWorkCountMax = 2609), OnWork
(AWorkCount = 2609) and OnWorkEnd
as last... No OnProxyAuthorization
or OnSelectProxyAuthorization
is called!
The received header is
Proxy-Authenticate: Negotiate
Proxy-Authenticate: NTLM
Date: Tue, 06 Jun 2017 09:07:12 GMT
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset="UTF-8"
Content-Length: 2609
Accept-Ranges: none
Proxy-Connection: keep-alive
The component will be created via
LHttp := TIdHTTP.Create(nil);
LHttp.ProxyParams.ProxyServer := LProxy.ProxyServer;
LHttp.ProxyParams.ProxyPort := LProxy.ProxyPort;
if LProxy.UseAuthentification then
begin
LHttp.ProxyParams.BasicAuthentication := True;
LHttp.ProxyParams.ProxyUsername := LProxy.Username;
LHttp.ProxyParams.ProxyPassword := LProxy.Password;
end;
LHttp.Request.UserAgent := 'My Client ' + CVersion; // WebServer will always accept this user agent
LHttp.OnAuthorization := HTTP1Authorization;
LHttp.OnChunkReceived := HTTP1ChunkReceived;
LHttp.OnConnected := HTTPConnected;
LHttp.OnDisconnected := HTTPDisconnected;
LHttp.OnHeadersAvailable := HTTP1HeadersAvailable;
LHttp.OnProxyAuthorization := HTTP1ProxyAuthorization;
LHttp.OnRedirect := HTTP1Redirect;
LHttp.OnSelectAuthorization := HTTP1SelectAuthorization;
LHttp.OnSelectProxyAuthorization := HTTP1SelectProxyAuthorization;
LHttp.OnStatus := HTTP1Status;
LHttp.OnWork := HTTP1Work;
LHttp.OnWorkBegin := HTTP1WorkBegin;
LHttp.OnWorkEnd := HTTP1WorkEnd;
LHttp.Get(LUrl, LFileStream, [CAccepted_WebServerResponses]);
Did I miss something?
I also have Wireshark logs of the Get-Trys. The first Get from Indy sends already a Proxy-Authorization in Basic, is that correct? But Answer is always HTTP/1.1 407 Proxy Authorization required
and there is no more traffic, no second attampt is maded. My biggest problem is, I have no test enviremont. Every change I do, I have to create a new binary and give it to a customer (which knows that they are experimental and, for now, is happy to be a alpha tester).
MauxAuthRetries
= 42. No success :(
BasicAuthentication
has to be set before you send a request, since it helps govern the type of authentication sent in the request. The only way to determine the server's desired authentication type(s) is to send a request, even if just HEAD
, and see how the server responds. The authentication(s) are specified in the response's WWW-Authenticate
and Proxy-Authenticate
headers. If you plan on having TIdHTTP handle authentication, hoInProcessAuth
should always be set. At the very least, it needs to be set before the response is parsed, so you could set it dynamically in the OnHeadersAvailable
event, for instance. If hoInProcessAuth
is not set, you have to handle authentication manually by checking the TIdHTTP.ResponseCode
and then setting the TIdHTTP.Request.Authentication
or TIdHTTP.Request.CustomHeaders.Values['Authorization']
on the next request.
hoInProcessAuth = True
and BasicAuthentication = False
and retry the GET request.MaxAuthRetries
is still on default = 3) request instead of 1. Every request still has a basic proxy-authorization set.
BASIC
request unless BasicAuthentication=True
, or the server actually requests Basic
in WWW-Authenticate
or Proxy-Authenticate
, or you force Request.Authentication
or ProxyParams.Authentication
to TIdBasicAuthentication
directly. When TIdHTTP receives 407, the only ways that OnSelectProxyAuthorization
would not be triggered are either 1) AuthProxyRetries
has exceeded MaxAuthRetries
, or 2) ProxyParams.Authentication
is already assigned an auth class. After an auth class has been assigned, the only ways that OnProxyAuthorization
would not be triggered are either 1) ProxyParams.ProxyPassword
is blank, or 2) the authentication class doesn't request user input (TIdAuthentication.Next()
does not return wnAskTheProgram
). You are going to have to step into Indy's souce code with the debugger to figure out what TIdHTTP is really doing during its 407 processing. TIdHTTP should be handling the retry requests for you. Make sure the credentials you are using are accurate. If they are not working, maybe the NTLM request is being malformed, so the proxy keeps rejecting it.
var
LIdHTTP : TIdHTTP;
LSSLIOHandler : TIdSSLIOHandlerSocketOpenSSL;
LRequestStr, LResult : String;
begin
LRequestStr := 'https://www.google.com';
LIdHTTP := TIdHTTP.Create(nil);
try
// Setup of TidHTTP that supposedly works with Squid SSPINTLM authentication.
LSSLIOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(LIdHTTP);
LSSLIOHandler.SSLOptions.Method := TIdSSLVersion.sslvTLSv1_2;
LIdHTTP.IOHandler := LSSLIOHandler;
LIdHTTP.HandleRedirects := True;
LIdHTTP.AllowCookies := True;
LIdHTTP.ConnectTimeout := 10000;
LIdHTTP.ReadTimeout := 10000;
LIdHTTP.Request.BasicAuthentication := True;
LIdHTTP.HTTPOptions := LIdHTTP.HTTPOptions + [hoKeepOrigProtocol] + [hoInProcessAuth] + [hoNoProtocolErrorException] + [hoWantProtocolErrorContent];
LIdHTTP.ProtocolVersion := pv1_1;
LIdHTTP.ProxyParams.ProxyServer := 'proxy';
LIdHTTP.ProxyParams.ProxyPort := 3128;
LResult := LIdHTTP.Get(LRequestStr);
CheckEquals(200, LIdHTTP.ResponseCode);
finally
LIdHTTP.Free;
end;
end;
TIdHTTP.OnSelectProxyAuthorization
event if the TIdHTTP.ProxyParams.Authentication
property is not assigned, and then the TIdHTTP.OnProxyAuthorization
event to ask for new credentials if needed. Neither of which you have assigned event handlers to. If authentication cannot be performed at all (unsupported auth scheme, no credentials provided, retry limit reached, etc), TIdHTTP should exit if hoNoProtocolErrorException
is set, otherwise it will raise an exception. If authentication can proceed, TIdHTTP will try to perform it if hoInProcessAuth
is set, otherwise it should exit and you will have to send a new request with proxy authentication added.
CONNECT
verb. And yes, it is looped, because it may take multiple HTTP requests to satisfy authentication, HTTP redirects, etc. The loop is hard-coded to "False" because the number of iterations needed is unknown. The inner body of the loop needs to decide when to exit the loop. hoNoProtocolErrorException
was never intended to be used with proxy handling. The loop in question does not look at the return value of LLocalHTTP.ProcessResponse
to break the loop if needed. A similar loop is in TIdCustomHTTP.DoRequest()
, but it does look at the return value and act accordingly. So similar logic will have to be added to TIdCustomHTTP.ConnectToHost()
when communicating with a proxy
hoNoProtocolErrorException
and hoWantProtocolErrorContent
, and then catch the raised EIdHTTPProtocolException
. The response code will be in the exception's ErrorCode
property, and any body content will be in the ErrorMessage
property.
Thanks for the response, very much appreciated. I only added hoNoProtocolErrorException
(and hoWantProtocolErrorContent
) this morning as otherwise the code below the Get()
would never run etc. and when it failed, the raised exception didn't make it particularly obvious initially what had failed where (whereas having the Check like fail would've been rather more direct) so I thought I'd rather just stop the whole exception thing and check the result code, whatever it may be.
Anyway given what you've said however I'll remove these again and make do with catching the exception instead as suggested for now.
Aside from this I'm still puzzled about the test failing now with a 407 in the first place. I'm trying to understand and reconcile your explanation with the fact that this code was working previously through this proxy, and to add which works (still) with NTLMSSP via Chrome and Firefox with no problems.
So I'm slightly puzzled regarding the auth, how this worked at all in the past then, seemingly by some fluke, since if I understand you correctly you're implying that the above code could not auth properly against an NTLM proxy due to missing event handlers/properties? Or am I misunderstanding you? (I've added IdHTTPSSPI and IdHTTPNTLM units to the above code, which was previously missing to ensure these were registered but hasn't made a difference... shouldn't the presence of these units register the necessary handlers so that hoInProcessAuth
makes Indy deal with the authentication? I'm obviously being stupid about something... sorry!)
TIdSSPINTLMAuthentication
succeeds (SSPI uses credentials stored in the calling thread, and the OS handles the actual authentication data) whereas TIdNTLMAuthentication
fails (it requires username/password, and performs authentication manually). Just adding the IdAuthentication units to your uses
clause to register the classes does not guarantee success, you still have to make sure things are setup correctly in TIdHTTP
. There is just not enough information to go on to diagnose what the actual problem is. You are going to have to debug it further.
@rlebeau Thanks. The proxy was definitely not just allowing unauthenticated access previously. However there has been some changes to the proxy config I've been told to improve security so this adds an unknown, which apparently may result in 407 errors on some sites. Google however is not one of these.
Leaving that aside, I've however since discovered another variable, which is that Google seems to be processing the request differently to before.
That, is, it turns out that https://www.google.com
now returns a redirect (HTTP 302) and not a direct HTTP 200; It looks like, with Indy, this is being somehow associated to the tail end of Authentication processing and ends up in effect appearing as a 407 failure. (As opposed to with Chrome/Firefox where it redirects and works as expected.)
If I however change the code to directly fetch the HTTP redirected URL, then Indy succeeds to fetch the page via the proxy (with NTLMSSP) without issue and the test passes.
So, there still seems to be something strange going on. All else being equal I should not arguably be seeing different behaviour between the browser and an Indy client, on the same PC, using the same Windows login, working through the same proxy that only allows NTLM authentication, I'd say, in the case of an immediate redirect, wouldn't you agree? (Again, both Indy and browser works as expected if no immediate redirect is present and you just fetch the URL directly.)
As an aside, I traced the code and Indy is detecting NTLM as the (only requested/allowable) auth protocol from the proxy and automatically opting to use TIdSSPINTLMAuthentication
class, due to the registration of same in unit initialization. As you'll see I did start out adding handlers etc for OnSelectProxyAuthorization()
and OnProxyAuthorization()
but it turned out to be unnecessary.
type TAuth = class
procedure DoSelectAuthorization(Sender: TObject; var AuthenticationClass: TIdAuthenticationClass; AuthInfo: TIdHeaderList);
procedure DoProxyAuthorization (Sender: TObject; Authentication: TIdAuthentication; var Handled: Boolean);
end;
procedure TAuth.DoSelectAuthorization(Sender: TObject; var AuthenticationClass: TIdAuthenticationClass; AuthInfo: TIdHeaderList);
begin
//It turns out AuthenticateClass is already set to TIdSSPINTLMAuthentication by
//TIdCustomHTTP.DoOnProxyAuthorization when this event is called.
//
//It does this by inspecting AResponse.ProxyAuthenticate
//list to see what protocols are requested/supported by the proxy and then
//trying to look up a suitable registered class to use to handle the requirement.
//
//In our case this of course contains 'NTLM' which results in TIdSSPINTLMAuthentication
//being looked up as appropriate class to use.
//TIdSSPINTLMAuthentication gets looked up because this class was previously
//automatically registered by idAuthenticationSSPI unit initialization
//via line 1320 call to RegisterAuthenticationMethod('NTLM', TIdSSPINTLMAuthentication);
//which registers it into global "AuthList". It is registered by inclusion in uses clause
//via IdAuthenticationSSPI (or IdAllAuthentications).
//Consequently we don't have to provide anything here and I instead just
//assert here that we're using the expected auth class instead:
Assert(AuthenticationClass = TIdSSPINTLMAuthentication);
end;
procedure TAuth.DoProxyAuthorization (Sender: TObject; Authentication: TIdAuthentication; var Handled: Boolean);
begin
//This is never called? (Presumably since not applicable because with SSP (single sign-on protocol)
//the NTLM response is generated automatically.)
ShowMessage(Authentication.Authentication);
Assert(Authentication.Authentication <> '');
end;
procedure TTextMagicTests.test_SSL_proxy_access_to_google_via_NTLMSSP;
var
LIdHTTP : TIdHTTP;
LSSLIOHandler : TIdSSLIOHandlerSocketOpenSSL;
LRequestStr, LResult : String;
LAuth : TAuth;
begin
//Using 'https://www.google.com' as LRequestStr results in HTTP 302 from google
//which seems to result in what ends up looking like a 407 Indy Exception to
//the Delphi code...
//
//Why is this? It seems incorrect behaviour. Indy should just deal with the
//redirect, like a browser does faced with the same situation.
//
//Probably not the right diagnosis, but currently it seems Indy is seemingly
//conflating the 302 as the tail-end "error" of proxy auth protocol (maybe?)
//and is then surfacing the whole lot as the original 407 exception/response.
//
//However when using the redirected URL instead, the proxy auth works as expected
//and no problems occur, and the test passes. So there the SSPINTLM auth works
//correctly, aside from this specfic situation, it seems.
LRequestStr := 'https://www.google.co.uk/?gfe_rd=cr&ei=aeJQWc2JM6nHXpaklfgG';
LIdHTTP := TIdHTTP.Create(nil);
LAuth := TAuth.Create;
try
LSSLIOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(LIdHTTP);
LIdHTTP.IOHandler := LSSLIOHandler;
LSSLIOHandler.SSLOptions.Method := TIdSSLVersion.sslvTLSv1_2;
//The following 2 lines are unnecesary as SSPI is used automatically due to
//registration of TIdSSPINTLMAuthentication as handler for NTLM.
//The proxy below only supports NTLM as well. They are kept in for context.
LIdHTTP.OnSelectProxyAuthorization := LAuth.DoSelectAuthorization;
LIdHTTP.OnProxyAuthorization := LAuth.DoProxyAuthorization;
LIdHTTP.HandleRedirects := True;
LIdHTTP.AllowCookies := True;
LIdHTTP.ConnectTimeout := 10000;
LIdHTTP.ReadTimeout := 10000;
LIdHTTP.HTTPOptions := LIdHTTP.HTTPOptions + [hoKeepOrigProtocol] + [hoInProcessAuth];
LIdHTTP.ProtocolVersion := pv1_1;
LIdHTTP.ProxyParams.Clear;
LIdHTTP.ProxyParams.BasicAuthentication := False;
LIdHTTP.ProxyParams.ProxyServer := 'proxy';
LIdHTTP.ProxyParams.ProxyPort := 3128;
try
LResult := LIdHTTP.Get(LRequestStr);
except
on E:EIdHTTPProtocolException do
begin
Fail('HTTP Error code: ' + IntToStr(E.ErrorCode));
end;
end;
CheckEquals(200, LIdHTTP.ResponseCode);
finally
LAuth.Free;
LIdHTTP.Free;
end;
end;
TIdHTTPProtocol.ProcessResponse()
. The very first thing it does after validating the response headers is check for a 3xx redirect and handle it, otherwise it checks for 4xx authentication and handle it, otherwise it checks for 2xx success and handles it, otherwise it fails.